Wednesday, June 23, 2010

OLD BOOTROM + Spirit => 4.0 JB

Updated for FW 4.0/4.0.1 + 'Star' jailbreak. You'll need NOR files from a custom 4.0 ipsw made with PwnageTool 4.0.1. You still obviously need an old-bootrom 3GS; however, you don't currently need any SHSH while Apple still signs 4.0.1. The fact that the Star jailbreak uses Safari, however, means it will be patched in weeks, so back up those hashes while you can. Now that 4.0 is jailbroken, potential uses of this method include installing 4.1 betas, rolling back to 3.x and similar fun activities.

STOP if you have a new bootrom (week 40+, tethered-only 3.1.2 JB etc.). Here's how to check the bootrom version. This method is for you if:
- your hardware is an iPhone 3GS with OLD BOOTROM
- you HAVE 3.1.3 SHSH (**)
- you DON'T have 3.1.2 SHSH (otherwise, just use blackra1n/redsn0w)
- you WANT iOS4/JB

Update: thanks to movie for those awesome step-by-step instructions! Update 2: someone made a Cydia package. Looking at the type of questions people ask in the comments, that might be the only option for 80% of them. Apple's license terms, of course, don't allow redistributing their binaries, so I just link to it. Their description also says it works with 3.1.2/Spirit - I very much doubt that.

This tool can be used to flash pwned NOR files (containing the LLB exploit) on a phone running the Spirit JB (the script has hardcoded offsets for 3.1.3 on the 3GS).

Unpack the pwned (!) 3.1.3 firmware and copy all the files from the iPhone2,1_3.1.3_7E18_Custom_Restore\Firmware\all_flash\all_flash.n88ap.production folder to the /tmp directory on your phone. You can use CyberDuck or WinSCP to do that. Copy those files directly into /tmp, not into a subfolder: LLB should be at /tmp/LLB.n88ap.RELEASE.img3, etc.!

Extract the contents of the spirit2pwn_r2.zip archive to the /tmp directory on the phone.

Run the following commands on the iPhone (use ssh or PuTTY):

cd /tmp
chmod 755 pwn_old_boot_r2.sh
./pwn_old_boot_r2.sh

Now reboot; your iBoot and LLB should be pwned, and you can restore to a custom FW.
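The flashing script depends on an exact /tmp layout, and most of the failures reported in the comments (missing files, a copied subfolder instead of its contents, the script not made executable) could be caught before anything is written to NOR. The preflight check below is an added example, not part of spirit2pwn or this post, and it only reads files. It assumes the script name and the n88ap LLB/iBoot filenames given above, and that every NOR image is an IMG3 container whose first four bytes are the magic "3gmI" ("Img3" stored little-endian). It does not replace checking your bootrom version first.

```shell
#!/bin/sh
# Preflight check for the /tmp layout the flashing script expects.
# Added example, not part of spirit2pwn or the original post. Read-only:
# it never touches NOR. Assumptions: the flash script is named
# pwn_old_boot_r2.sh, LLB/iBoot carry the 3GS (n88ap) names from the post,
# and each NOR image is an IMG3 container starting with the ASCII magic "3gmI".

# img3_magic_ok FILE -> 0 if FILE begins with the IMG3 magic, 1 otherwise
img3_magic_ok() {
    [ -s "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null)
    [ "$magic" = "3gmI" ]
}

# check_flash_dir DIR -> prints each problem found; exit status is the
# number of problems, so 0 means the layout looks right.
check_flash_dir() {
    dir=$1
    problems=0

    # The script must sit directly in DIR and be executable (chmod 755).
    if [ ! -f "$dir/pwn_old_boot_r2.sh" ]; then
        echo "missing: $dir/pwn_old_boot_r2.sh"
        problems=$((problems + 1))
    elif [ ! -x "$dir/pwn_old_boot_r2.sh" ]; then
        echo "not executable: $dir/pwn_old_boot_r2.sh (run chmod 755)"
        problems=$((problems + 1))
    fi

    # LLB and iBoot must be directly in DIR, not inside a copied subfolder.
    for name in LLB.n88ap.RELEASE.img3 iBoot.n88ap.RELEASE.img3; do
        if [ ! -f "$dir/$name" ]; then
            echo "missing: $dir/$name (copy the files into $dir itself, not a subfolder)"
            problems=$((problems + 1))
        fi
    done

    # Every .img3 present must really be an IMG3 container.
    for f in "$dir"/*.img3; do
        [ -e "$f" ] || continue
        if ! img3_magic_ok "$f"; then
            echo "not an IMG3 file: $f"
            problems=$((problems + 1))
        fi
    done

    # A stray all_flash* directory is the classic sign the folder itself was copied.
    for sub in "$dir"/all_flash*; do
        if [ -d "$sub" ]; then
            echo "subfolder present: $sub (its contents belong in $dir)"
            problems=$((problems + 1))
        fi
    done

    return "$problems"
}

# Builds a constructed sample layout (fake 4-byte images, stub script) so the
# check can be tried on a desktop before running it on the phone.
make_sample_dir() {
    d=$(mktemp -d)
    printf '3gmI' > "$d/LLB.n88ap.RELEASE.img3"
    printf '3gmI' > "$d/iBoot.n88ap.RELEASE.img3"
    printf '#!/bin/sh\n' > "$d/pwn_old_boot_r2.sh"
    chmod 755 "$d/pwn_old_boot_r2.sh"
    echo "$d"
}
```

On the phone, run it as `sh check.sh` with `check_flash_dir /tmp` appended, or source it from the SSH session and call `check_flash_dir /tmp` by hand; only proceed to the flash step when it prints nothing and returns 0.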

Thanks Gojohnnyboi for code, ZeRoLiMiT for testing ;)

(**) Technically, you can still do that if you don't have 3.1.3 SHSH, but then if you don't really have an old bootrom, or if you use the wrong ipsw files, your only option will be to upgrade to 4.0 and stay without jailbreak or unlock until a new exploit is made public.

Is there anyway to flash, upload, or otherwise run a pwned iBoot/LLB when you haven't had your SHSH backed up before? I just got this 3G[s], came with 4.0 but has the old bootrom, and the original seller never backed up the SHSH blobs for 3.1.x.

Ok, all these instructions make sense for the most part to me. As far as a pwned 3.1.3 FW, is this something I should build with Pwnage Tool or Redsn0w? I'm on the old bootrom, spirit JB, 3.1.3 blobs on file but now 3.1.2. I just want to make sure that I do this 100% correct as I depend on my 3G[S] for tethering right now... So if someone could point me in the right direction as far as that file goes that would be greatly appreciated (FYI I have a pwned 3.1.2 FW, can I extract and use the file from that?)

Also, what is the easiest way to unpack an ipsw in OS X... if somebody could supply me with the necessary files via email if they aren't too large that would be very helpful as well... Thanks in advance!

Ok, I pwned 3.1.3 w/ pwnage and used safari to extract the pwned FW... copied it to /tmp on the iPhone as well as the extracted zip file and it seems that there was an issue with flashing the NOR... here is the output I received...

@frenchderf: Not this package: patches are just for the 313 kernel. Although it's possible to rewrite it for 312, it doesn't make any sense - just use redsn0w or blackra1n on 312.

@Dimitrios-Geo: ask someone with better terminal skills to do those steps for you? Just make sure you use files from a 313 ipsw pwned by PwnageTool and all files are in the /tmp directory. Also I'd recommend SSH over MobileTerminal, as you can copy-paste the log if you are unsure about results.

Thanks for the script. I tried it twice, but I can't get it to work :( The script completes successfully, no errors, but when I turn the iPhone off to start in recovery mode, it gets stuck in DFU-only mode. In this mode, I am also unable to restore to the 4.0 custom. I have to do a full restore to 3.1.3 and re-jailbreak. Do you know what I might be doing wrong? Thanks :)

Hmm, that was weird, the script worked on my second shot though. Only problem is iTunes is now throwing out a 1600 error when I try to do a custom restore and I'm stuck in DFU for now... gonna try to rebuild iOS with pwnage again and see what happens...

@Mike: double-check that you're on the old bootrom http://www.redmondpie.com/how-to-check-iphone-3gs-bootrom-iboot-version; paste the output of the script to pastie.org and post the link here. @Norman Yau: does your phone boot OK after the described steps? If it doesn't, you might have the new bootrom or have done something wrong. Again, post a log. Make sure you restore from recovery mode and not DFU. Try custom fw generated by PwnageTool 4.0.1 if the snowbreeze one doesn't work. Remember you need iTunes 9.2 to restore 4.0 fw.

@Oren: maybe you need to 'su root' in MobileTerminal first? Haven't tried that since it's broken on iOS4. On donations: feel free to donate to msft.guy@gmail.com (paypal), but people like comex (author of Spirit JB) deserve a donation far more ;) Dev Team too, for the 24kpwn, but they only accept postcards ;)

@mike: I think posixninja has a tethered exploit and looks like Spirit was just ported to 4.0 (but not open yet); and unlock is already there, just don't update to official 4.0.1 etc so that you can unlock after JB is released.

@Norman Yau: OK, so the method itself works. I'm still confused about what exactly happens after you do those steps and reboot - does the phone boot or not? If it does not boot, there is something wrong with the pwned firmware you used: it's either the original ipsw, or the pwnage tool/snowbreeze didn't work properly, or it's the wrong version (like 4.0 instead of 3.1.3). Now, if your phone does boot but you cannot update to pwned 4.0, it's most likely a problem with your custom 4.0 firmware. Make sure you are restoring in Recovery and not DFU. Try creating it on another mac or something.. also post the restore log to pastie.org.

So I followed the steps, and I was able to pwn my 3.1.3. When I did a shift+restore, iTunes says "restoring iPhone software" and the iPhone shows the bar, but it then gives me error (2) and does not restore to 4.0

I managed to throw everything you say into tmp, but then because I never used ssh before... maybe I do the command step wrong... I don't really know how to use ssh; it was always easier, not to mention safer, to connect with "phoneview".

Hi, I followed all your instructions. After pwn_old_boot_r2.sh and a successful message, I went ahead and rebooted the phone. Now it looks like it's in DFU mode and I cannot restore it in iTunes since it's giving me the 1600 error. Any ideas?

Thanks! It really works! BUT! I cannot connect to iTunes (ver. 9.2)! I tried on PC and on Mac too. iPhone is not shown in iTunes. I changed USB ports, cables, reinstalled iTunes, but all without success. Please say what I can do with it? Can I firmware on iOS 4 custom once more now?

@MaxR: iPhone2,1_3.1.3_7E18_Custom_Restore.ipsw is the filename of custom FW (made with PwnageTool). Whether or not you have it in the file path depends on which unarchiver you use.

@Livon: That's really weird. Did the USB work before restoring to custom iOS4? In any case, you can now restore to custom FW (even downgrade) unless you accidentally install the original FW. Can you see iPhone in the device manager? Did you make this custom FW 4 with Pwnage Tool 4.0.1?

2 msft.guy: Thanks for your reply. Yes, USB worked before I firmware to 4.0 using your instructions. In device manager I see iPhone in section "Mobile devices" but not in USB Controllers (sorry, this may not be the same in the English version of Windows, because I have a localized Win7). Must it be in USB controllers too? And yes, I created the 4.0 custom using Pwnage Tool 4.0.1 on Mac. And I just firmware once more to 4.0 custom (did on Mac). And I have now: iTunes on Mac can view iPhone, but on Win NO! I understand this is very strange. I think the problem is in my iTunes on Win?

@Dimitrios-Geo: No. The reason you are getting the 'needservice.a518920x.img3 missing' error is you. You've failed to read the instructions and are trying to flash 4.0 fw when the instructions clearly say custom 3.1.3. If you really have old bootrom as you've mentioned earlier then your phone won't boot and you'll have to restore to 3.1.3 if you've saved those SHSHs, or to 4.0 if you haven't.

@Livon: if you have installed libUSB on Windows, it can interfere with iTunes USB drivers. Otherwise, reinstalling Windows in upgrade mode might be faster and will save your data and settings..

@msft.guy: TQ... I figured it out and upgrading from spirited 3.1.3 to 4.0 using the pwnagetool custom fw ran like a charm with ONLY 1 MAJOR PROBLEM... No carrier signal... FYI my 3GS was factory unlocked when I bought it last year. This also happened when I upgraded from 3.1.1 to 3.1.3 and the best fix I could find at that time was... restore with original fw then run spirit. With no spirit for 4.0, what option do I have to solve my problem and have a jailbroken one?

7.) Open up Cyberduck and connect your Mac to your iPhone. To use this you need:
a.) IP address of iPhone
b.) username, which is: root
c.) password, which is alpine (unless you changed it)
d.) Connect Cyberduck to your iPhone
e.) Navigate to the /tmp folder

8.) Go to your files in STEP 1.) (custom firmware for 3.1.3 3Gs that you downloaded) and navigate to the subfolder called all_flash.n88ap.production. Take all the files in that folder and copy them into the /tmp folder using Cyberduck. Should be 14 files total.

9.) Go to your files in STEP 3.) (spirit2pwn_r2 you downloaded). Take all the files in that folder and copy them into the /tmp folder using Cyberduck. Should be 2 files total.

NOW YOU'RE SET TO FLASH!!!

10.) Now go to your iPhone and open up MobileTerminal.

a.) TYPE: su root (may ask for password) HIT RETURN

b.) TYPE: cd /tmp HIT RETURN

c.) TYPE: chmod 755 pwn_old_boot_r2.sh HIT RETURN

d.) TYPE: ./pwn_old_boot_r2.sh HIT RETURN

It will start flashing the files on your iPhone. It will pause a few times. WAIT! Don't do anything. WAIT until it's completely done and says [SUCCESS] at the bottom.

11.) REBOOT your iPhone.

12.) Plug your iPhone into iTunes. Press the OPTION key as you click on RESTORE in iTunes. Make sure you are connected to the internet.

13.) Navigate to the file iPhone2,1_4.0_8A293_Custom_Restore.ipsw you created in STEP 2a.) or STEP 2b.)

14.) iTunes will RESTORE your iPhone using iPhone2,1_4.0_8A293_Custom_Restore.ipsw (Does not take that long)

15.) iPhone will REBOOT and then iTunes will prompt you to RESTORE your files from a BACKUP or as a NEW Phone.

@Dinesh, @Elijah: Assuming the script executed successfully, you've probably used an incorrect ipsw. You need to use a 3.1.3 custom ipsw made using PwnageTool (or sn0wbreeze, but if you don't have 3.1.3 SHSH on file, I'd recommend sticking to PwnageTool). Now you have to put the phone in DFU mode (although it's probably already in DFU now) and restore to 3.1.3 (if you have saved SHSH) or to 4.0 (if you have not). After you restore to 3.1.3, try reading the instructions more carefully.

@movie: am I correct in assuming iTunes 9.2 needs to be used in order to restore to the custom iOS 4 ipsw? Also it looks like you didn't use recovery mode while restoring the custom ipsw, is this correct?

Hi, I have an iPhone 3GS with OLD bootrom and the non-jailbroken iOS4. I had 3.1.3 with Spirit on it before but hadn't saved the SHSH. Is there any chance to get back to 3.1.3 without the SHSH? The walkthrough sounds very simple but I can't go for it without having a jailbreak and a terminal on the iPhone. It makes me mad...

@Movie: Thank you for your awesome step-by-step guide. One question about your instruction in 7.):
"Open up Cyberduck and connect your Mac to your iPhone. To use this you need:
a.) IP address of iPhone
b.) username which is: root
c.) password which is alpine (unless you changed it)
d.) Connect Cyberduck to your iPhone
d.) Navigate to the /tmp folder"

When I use iPhoneBrowser, I can see the root dir and the tmp dir; the tmp dir has another 2 dirs, launchd and payloads.

My question is: is that the same dir where we have to copy all the files, and can I use iPhoneBrowser since I have access to those directories?

I don't know what I'm doing wrong. I know I have the old bootrom (week 18 manufactured), and 3.1.3 SHSHs on file. I do everything that msft and Movie say to do, I even cooked up my own custom 3.1.3 ipsw with sn0wbreeze. I run the script in MobileTerminal and get the SUCCESS tag at the bottom, I go to reset my iPhone and it won't turn back on. Any help? At all?

The brogster, I am going through the same thing. Guys, I have tried recovery mode too, but it's still giving me the 1600 error. Tried both, Mac and PC. Thanks. I gave up.. am going to wait for a clean jailbreak solution. I tried several times. Thanks

After rebooting my iPhone it went into DFU mode and I can't get out of it. I am trying to restore modded 4.0 or 3.1.3 and I get errors 1601/1602 when doing this. I have a 3GS with old bootrom from the 17th week. Any ideas?

Jeez, I went through hell one week ago with the final result being stuck on 3.1.3 (again!). If I had known by then that a few lines in terminal would make a CFW update possible.. phew! Thank you very very much!

Damn!!!!! I did everything except copy the 3.1.3 files from the ORIGINAL firmware and now I'm stuck in DFU!!! Is my device toast?? Please help. What do I do to redo everything just like everybody else? iTunes is not helping, nor RecBoot. HELP HELP HELP :(

@Chow, @Ian: Yep, check the latest update (http://code.google.com/p/iphone-img3-flasher/downloads/detail?name=spirit2pwn_r3.zip). It was tested on 4.0.1 and _probably_ works on 4.0 as there were minimal kernel changes. I'll double-check and update this.